Tuesday, December 3, 2024
HomeCyber AttackWinnti APT Hacker Group Attacks Video Gaming Companies Using PipeMon Malware

Winnti APT Hacker Group Attacks Video Gaming Companies Using PipeMon Malware

Published on

SIEM as a Service

Winnti group has been active at least since 2012 and specializes in cyberattacks against the online video game industry. The main goal of the hacker group is to steal the source code of online game projects as well as digital certificates.

The group is also responsible for high-profile supply-chain attacks against software companies that result in the distribution of trojanized software.

Winnti Group Attacks

Starting from 2019, the Winnti group started using PipeMon malware since 2019, to compromise various software companies.

- Advertisement - SIEM as a Service

ESET researchers observed that the current campaign targets video game developers who developing MMO (Massively Multiplayer Online) games based in South Korea and Taiwan.

The attacker tries to compromise the company’s build orchestration server which allows attackers to take control of the automated build systems. This would allow attackers to include arbitrary code of their choice in the video game executables.

ESET observed that the certificate used to sign the PipeMon installer, modules, and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

The first stage of the malware is a password-protected RARSFX executable and the password is different from each sample.

Winnti APT Hacker Group

Once the password-protected file sis extracted, setup.exe main executable get’s executed, it’s purpose is to load the setup.dll file.

Following are the files with RARSFX

  • rLnc.dat – Encrypted payload
  • Duser.dll – Used for UAC bypass
  • osksupport.dll – Used for UAC bypass
  • PrintDialog.dll – Used for the malicious print processor initialization
  • PrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll
  • setup.dll – Installation DLL
  • setup.exe – Main executable

To maintain the persistence setup.dll registers the malicious DLL loader as an alternative Print Processor by adding registry keys.

Once it got registered it restarts the print spooler service (spoolsv.exe) so that the malicious DLL loader loads every time when spoolsv.exe starts.

C&C Communication

The module was named PipeMon as it contains inter-module communication, to its PDB path, and the name of the Visual Studio project named by developers.

ESET researchers observed that “Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving.”

The communication module with loader responsible for establishing C&C communication, all the data transferred are encrypted using RC4 with the hardcoded key Com!123Qasdz.

To initiate C&C communication following are the details shared first includes;

  • OS version
  • Physical addresses of connected network adapters concatenated with %B64_TIMESTAMP%
  • the victim’s local IP address
  • backdoor version/campaign ID; we’ve observed the following values
  • “1.1.1.4beat”
  • “1.1.1.4Bata”
  • “1.1.1.5”
  • Victim computer name

The malware modules are signed with Stolen valid code-signing certificate, now the certificate was revoked by the user after notification from ESET.

The new attack shows that Winnti Group uses a new set of tools using multiple open-source projects and they are targeting Massively Multiplayer Online developer companies.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...

Beware Of Malicious PyPI Packages That Inject infostealer Malware

Recent research uncovered a novel crypto-jacking attack targeting the Python Package Index (PyPI), where...